aboutsummaryrefslogtreecommitdiffstats
path: root/include/linux
diff options
context:
space:
mode:
authorDavid Howells <dhowells@redhat.com>2008-04-29 04:01:26 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2008-04-29 11:06:16 -0400
commit70a5bb72b55e82fbfbf1e22cae6975fac58a1e2d (patch)
tree8e6dcaf5630388d81b23845f293789f2d6a3596b /include/linux
parent4a38e122e2cc6294779021ff4ccc784a3997059e (diff)
keys: add keyctl function to get a security label
Add a keyctl() function to get the security label of a key. The following is added to Documentation/keys.txt: (*) Get the LSM security context attached to a key. long keyctl(KEYCTL_GET_SECURITY, key_serial_t key, char *buffer, size_t buflen) This function returns a string that represents the LSM security context attached to a key in the buffer provided. Unless there's an error, it always returns the amount of data it could produce, even if that's too big for the buffer, but it won't copy more than requested to userspace. If the buffer pointer is NULL then no copy will take place. A NUL character is included at the end of the string if the buffer is sufficiently big. This is included in the returned count. If no LSM is in force then an empty string will be returned. A process must have view permission on the key for this function to be successful. [akpm@linux-foundation.org: declare keyctl_get_security()] Signed-off-by: David Howells <dhowells@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Cc: Paul Moore <paul.moore@hp.com> Cc: Chris Wright <chrisw@sous-sol.org> Cc: James Morris <jmorris@namei.org> Cc: Kevin Coffman <kwc@citi.umich.edu> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'include/linux')
-rw-r--r--include/linux/keyctl.h1
-rw-r--r--include/linux/security.h20
2 files changed, 20 insertions, 1 deletions
diff --git a/include/linux/keyctl.h b/include/linux/keyctl.h
index 3365945640c9..656ee6b77a4a 100644
--- a/include/linux/keyctl.h
+++ b/include/linux/keyctl.h
@@ -49,5 +49,6 @@
49#define KEYCTL_SET_REQKEY_KEYRING 14 /* set default request-key keyring */ 49#define KEYCTL_SET_REQKEY_KEYRING 14 /* set default request-key keyring */
50#define KEYCTL_SET_TIMEOUT 15 /* set key timeout */ 50#define KEYCTL_SET_TIMEOUT 15 /* set key timeout */
51#define KEYCTL_ASSUME_AUTHORITY 16 /* assume request_key() authorisation */ 51#define KEYCTL_ASSUME_AUTHORITY 16 /* assume request_key() authorisation */
52#define KEYCTL_GET_SECURITY 17 /* get key security label */
52 53
53#endif /* _LINUX_KEYCTL_H */ 54#endif /* _LINUX_KEYCTL_H */
diff --git a/include/linux/security.h b/include/linux/security.h
index 3ebcdd00b17d..adb09d893ae0 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1009,6 +1009,17 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
1009 * @perm describes the combination of permissions required of this key. 1009 * @perm describes the combination of permissions required of this key.
1010 * Return 1 if permission granted, 0 if permission denied and -ve it the 1010 * Return 1 if permission granted, 0 if permission denied and -ve it the
1011 * normal permissions model should be effected. 1011 * normal permissions model should be effected.
1012 * @key_getsecurity:
1013 * Get a textual representation of the security context attached to a key
1014 * for the purposes of honouring KEYCTL_GETSECURITY. This function
1015 * allocates the storage for the NUL-terminated string and the caller
1016 * should free it.
1017 * @key points to the key to be queried.
1018 * @_buffer points to a pointer that should be set to point to the
1019 * resulting string (if no label or an error occurs).
1020 * Return the length of the string (including terminating NUL) or -ve if
1021 * an error.
1022 * May also return 0 (and a NULL buffer pointer) if there is no label.
1012 * 1023 *
1013 * Security hooks affecting all System V IPC operations. 1024 * Security hooks affecting all System V IPC operations.
1014 * 1025 *
@@ -1538,7 +1549,7 @@ struct security_operations {
1538 int (*key_permission) (key_ref_t key_ref, 1549 int (*key_permission) (key_ref_t key_ref,
1539 struct task_struct *context, 1550 struct task_struct *context,
1540 key_perm_t perm); 1551 key_perm_t perm);
1541 1552 int (*key_getsecurity)(struct key *key, char **_buffer);
1542#endif /* CONFIG_KEYS */ 1553#endif /* CONFIG_KEYS */
1543 1554
1544#ifdef CONFIG_AUDIT 1555#ifdef CONFIG_AUDIT
@@ -2732,6 +2743,7 @@ int security_key_alloc(struct key *key, struct task_struct *tsk, unsigned long f
2732void security_key_free(struct key *key); 2743void security_key_free(struct key *key);
2733int security_key_permission(key_ref_t key_ref, 2744int security_key_permission(key_ref_t key_ref,
2734 struct task_struct *context, key_perm_t perm); 2745 struct task_struct *context, key_perm_t perm);
2746int security_key_getsecurity(struct key *key, char **_buffer);
2735 2747
2736#else 2748#else
2737 2749
@@ -2753,6 +2765,12 @@ static inline int security_key_permission(key_ref_t key_ref,
2753 return 0; 2765 return 0;
2754} 2766}
2755 2767
2768static inline int security_key_getsecurity(struct key *key, char **_buffer)
2769{
2770 *_buffer = NULL;
2771 return 0;
2772}
2773
2756#endif 2774#endif
2757#endif /* CONFIG_KEYS */ 2775#endif /* CONFIG_KEYS */
2758 2776